Topic
Risk quantification, policy architecture, and frameworks that survive audit.

Forty years of BIA research, three standards, and one uncomfortable finding: most organisations run the activity backwards — collecting RTOs as opinions instead of deriving them from quantified loss curves.

A Monte Carlo simulation of a fictitious telco shows the architecture was structurally incompatible with the business promise — 71% of scenarios breached the 8h RTO, median ALE USD 442K without treatment.

A working crosswalk between Annex A.8 technological controls and the five NIST CSF functions, plus what auditors actually look for.